Jan 04, 2010

Chapter 7.1 Big Brother's Revenge

This
is
another
excerpt from my book on technology, terrorism, and
DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
fact.check.baker@gmail.com. If you're dying to order the book, send
mail to the same address.

--Stewart Baker

S

omehow, this problem too ended up on DHS’s plate. We were supposed
to figure out what could be done to improve the country's network security.

It was a snakebitten assignment. Two Presidential cybersecurity
strategies – one devised by the Clinton Administration and one by the Bush
Administration -- had already run into the ground before DHS was created.

Perhaps those who created DHS hoped that it could succeed where
two Presidents had failed. In any event, they gave the new department
responsibility for civilian cybersecurity. The National Communications System,
which ensures the availability of telecommunications in the event of an
emergency, was transferred from Defense. The FBI gave up its National
Infrastructure Protection Center, which focused on cybersecurity (and promptly
recreated the capability under another name so that it could keep fighting for
the turf). The Federal Computer Incident Response Center, which handled
computer incident response for civilian agencies, came over from the General
Services Agency.

These offices fit well with other DHS missions.Two of its big components -- the Secret
Service and Immigration and Customs Enforcement -- havecybercrime units. And DHS was supposed to
protect from physical attack the critical infrastructure on which the economy
depends.

In carrying out these duties, DHS could get technical help from
the National Security Agency, which was in charge of protecting military and
classified networks. But the responsibility for civilian cybersecurity
obligations left DHS on the hot seat. If we couldn’t find a way to head off
disaster, no one else in government would.

For the first few years of the department’s existence, to be
candid, we didn’t accomplish much. There were lots of reasons for that. Fixing
travel and border security was more urgent. Staff turnover was high and
expertisethin in our cybersecurity
offices. But the real reason we didn’t get far was that the same forces arrayed
against change in the travel arena were lined up against change in information
technology.

Businesses had staked their futures on continued exponential
growth in information technology. They didn’t want policy changes that might
change the slope of that curve even a little. Privacy groups instinctively
opposed anything that would give the government more information about, well,
about anything. And even when it was supportive, the international community
was so slow to change direction that it posed an obstacle to any policy that
was less than twenty years old.